# Install mkcert with Homebrew, apk, chocolatey, apt, dnf, MacPorts, Nix, pacman, scoop, winget, zypper

Simple tool to make locally trusted development certificates. Version 1.4.4 via Homebrew; verified from local package data.

## Install

```sh
sudo av install brew:mkcert
```

## Agent safety answer

mkcert creates local certificate authorities and development certificates.

- **Credential access:** Touches local trust stores and private key material.
- **Remote mutation:** Primarily mutates local trust state, not remote systems.
- **Publish/artifact risk:** Can create certificates that influence development service trust.
- **Recommended control:** Gate CA installation and private-key handling.
- **Agent-use guidance:** Allow certificate inspection; require approval before installing trust roots or writing private keys.

Additional install commands:

### macOS

- Homebrew (100%):

```sh
brew install mkcert
```

  Evidence: local Homebrew formula metadata

- MacPorts (94%):

```sh
sudo port install mkcert
```

  Evidence: MacPorts ports tree: security/mkcert/Portfile from https://api.github.com/repos/macports/macports-ports/git/trees/master?recursive=1

### Linux

- apk (92%):

```sh
sudo apk add mkcert
```

  Evidence: Alpine Linux edge package indexes: mkcert from https://dl-cdn.alpinelinux.org/alpine/edge/testing/x86_64/APKINDEX.tar.gz

- Debian apt (92%):

```sh
sudo apt install mkcert
```

  Evidence: Debian stable package indexes: mkcert from https://deb.debian.org/debian/dists/stable/main/binary-amd64/Packages.xz

- dnf (92%):

```sh
sudo dnf install mkcert
```

  Evidence: Fedora Rawhide package metadata: mkcert from https://dl.fedoraproject.org/pub/fedora/linux/development/rawhide/Everything/x86_64/os/repodata/e5ca8ce900cd68f5419e1c39ae517343100b306336cbaeb70a3c153121d95094-primary.xml.zst

- Nix (92%):

```sh
nix profile install nixpkgs#mkcert
```

  Evidence: nixpkgs package indexes: pkgs/by-name/mk/mkcert/package.nix from https://api.github.com/repos/NixOS/nixpkgs/git/trees/master?recursive=1

- pacman (92%):

```sh
sudo pacman -S mkcert
```

  Evidence: Arch Linux sync databases: mkcert from https://geo.mirror.pkgbuild.com/extra/os/x86_64/extra.db.tar.gz

- zypper (92%):

```sh
sudo zypper install mkcert
```

  Evidence: openSUSE Tumbleweed package metadata: mkcert from https://download.opensuse.org/tumbleweed/repo/oss/repodata/be8d3611d25469107f32075a1697e69ec57a2b850b42348a658cc671ad5ec2b50760d02c3e59524d50da9a11d5be799bdaffba2e166e8ca8858512e3c0bd665d-primary.xml.zst

### Windows

- Chocolatey (92%):

```sh
choco install mkcert
```

  Evidence: Chocolatey community package catalog: mkcert from http://community.chocolatey.org/api/v2/Packages?$filter=IsLatestVersion&$select=Id&$top=1000&$skiptoken='11','mirc'

- Scoop (92%):

```sh
scoop install extras/mkcert
```

  Evidence: Scoop official bucket manifest trees: bucket/mkcert.json from https://api.github.com/repos/ScoopInstaller/Extras/git/trees/master?recursive=1

- winget (92%):

```sh
winget install --id FiloSottile.mkcert -e
```

  Evidence: Windows Package Manager source index: FiloSottile.mkcert from https://cdn.winget.microsoft.com/cache/source.msix

## Package facts

- **Package key:** brew:mkcert
- **Package manager:** Homebrew
- **Package manager page:** <https://formulae.brew.sh/formula/mkcert>
- **Version:** 1.4.4
- **Source summary:** Simple tool to make locally trusted development certificates
- **Homepage:** <https://github.com/FiloSottile/mkcert>
- **Repository:** <https://github.com/FiloSottile/mkcert>
- **Upstream docs:** <https://github.com/FiloSottile/mkcert#readme>
- **License:** BSD-3-Clause
- **Source archive:** <https://github.com/FiloSottile/mkcert/archive/refs/tags/v1.4.4.tar.gz>
- **Generated:** 2026-07-08T07:18:31+00:00

## Executables

- mkcert (cli)
- mkcert (alias)

## Build dependencies

- go

## Install behavior

- Post-install hook: not defined
- Bottle: available on arm64_big_sur, arm64_linux, arm64_monterey, arm64_sequoia, arm64_sonoma, arm64_tahoe, arm64_ventura, big_sur, catalina, monterey, sonoma, ventura

## Freshness

- Page generated: 2026-07-08
- Package-manager version: 1.4.4
- Local data: ok
- Upstream repository: https://github.com/FiloSottile/mkcert
- Upstream latest detected: v1.4.4 (current)
- info: No package-manager update timestamp was available.
## Project history and usage

mkcert is Filippo Valsorda's small Go tool for locally trusted development certificates. It appeared in the 2018 developer conversation around localhost HTTPS and was explained by Valsorda in a January 2019 post: deployment certificates had become easier through ACME and Let's Encrypt, but development still fell back to HTTP because localhost and private development names cannot use ordinary public CA validation.

### Project history

The tool's core idea is deliberately narrow. Instead of asking each developer to memorize OpenSSL invocations or manage browser trust stores by hand, mkcert creates a local certificate authority, installs it into the system and Firefox/NSS trust stores where supported, and issues certificates for local hostnames, IP addresses, and wildcards. The upstream README also warns that the generated root CA private key can intercept secure requests from the machine, which is why mkcert is framed as a local development tool rather than production CA infrastructure.

### How it is used

mkcert became a common package-manager utility because it solves a recurring web-development pain point with one command and no project-specific configuration. Homebrew, MacPorts, Linux packages, and prebuilt binaries cover the usual developer platforms, while the README leaves web-server configuration to the user after the certificate and key are generated.

### Sources

- <https://formulae.brew.sh/formula/mkcert>
- <https://github.com/FiloSottile/mkcert>
- <https://news.ycombinator.com/item?id=17748208>
- <https://words.filippo.io/mkcert-valid-https-certificates-for-localhost/>


## Security Notes

narrow executable package without higher-risk signals.

- **Geiger risk:** green / low
- narrow executable package without higher-risk signals
- **Approval gate rules:** 4


## Configuration and credential file locations

These source-backed paths show where this package keeps local settings or durable credentials. Automic Vault can use them as review targets for secret scanning, migration, and command approval.


## Credential files

- macOS: ~/Library/Application Support/mkcert/rootCA-key.pem
## Source Database Details

- **Source Database:** Homebrew formula API
- **Tap:** homebrew/core
- **Full Name:** mkcert
- **Version Scheme:** 0
- **Revision:** 0
- **Head Version:** HEAD
- **Bottle Stable Root URL:** <https://ghcr.io/v2/homebrew/core>
- **Deprecated:** no
- **Disabled:** no
- **Keg Only:** no
- **URL Keys:** head, stable

## Other Package-Manager Records

- Debian apt - mkcert - 1.4.4-1+b18: normalized package name match | Debian stable package indexes: mkcert from https://deb.debian.org/debian/dists/stable/main/binary-amd64/Packages.xz | Simple zero-config tool to make locally trusted certificates | https://github.com/FiloSottile/mkcert
- Nix - mkcert: normalized package name match | nixpkgs package indexes: pkgs/by-name/mk/mkcert/package.nix from https://api.github.com/repos/NixOS/nixpkgs/git/trees/master?recursive=1
- Ubuntu apt - mkcert - 1.4.4-1ubuntu2: normalized package name match | Ubuntu 24.04 LTS package indexes: mkcert from https://archive.ubuntu.com/ubuntu/dists/noble/universe/binary-amd64/Packages.gz | Simple zero-config tool to make locally trusted certificates | https://github.com/FiloSottile/mkcert
- apk - mkcert - 1.4.4-r29: normalized package name match | Alpine Linux edge package indexes: mkcert from https://dl-cdn.alpinelinux.org/alpine/edge/testing/x86_64/APKINDEX.tar.gz | simple zero-config tool to make locally trusted development certificates with any names you'd like | https://mkcert.dev/
- dnf - mkcert - 1.4.4-9.fc45: normalized package name match | Fedora Rawhide package metadata: mkcert from https://dl.fedoraproject.org/pub/fedora/linux/development/rawhide/Everything/x86_64/os/repodata/e5ca8ce900cd68f5419e1c39ae517343100b306336cbaeb70a3c153121d95094-primary.xml.zst | Make and install locally trusted development certificates | https://github.com/FiloSottile/mkcert
- pacman - mkcert - 1.4.4-3: normalized package name match | Arch Linux sync databases: mkcert from https://geo.mirror.pkgbuild.com/extra/os/x86_64/extra.db.tar.gz | Simple tool for making locally-trusted development certificates | https://github.com/FiloSottile/mkcert
- zypper - mkcert - 1.4.4-1.4: normalized package name match | openSUSE Tumbleweed package metadata: mkcert from https://download.opensuse.org/tumbleweed/repo/oss/repodata/be8d3611d25469107f32075a1697e69ec57a2b850b42348a658cc671ad5ec2b50760d02c3e59524d50da9a11d5be799bdaffba2e166e8ca8858512e3c0bd665d-primary.xml.zst | CLI tool for making locally-trusted development certificates | https://github.com/FiloSottile/mkcert
- MacPorts - mkcert: normalized package name match | MacPorts ports tree: security/mkcert/Portfile from https://api.github.com/repos/macports/macports-ports/git/trees/master?recursive=1
- Chocolatey - mkcert: normalized package name match | Chocolatey community package catalog: mkcert from http://community.chocolatey.org/api/v2/Packages?$filter=IsLatestVersion&$select=Id&$top=1000&$skiptoken='11','mirc'
- Scoop - extras/mkcert: normalized package name match | Scoop official bucket manifest trees: bucket/mkcert.json from https://api.github.com/repos/ScoopInstaller/Extras/git/trees/master?recursive=1
- winget - FiloSottile.mkcert: normalized package name match | Windows Package Manager source index: FiloSottile.mkcert from https://cdn.winget.microsoft.com/cache/source.msix


## Related links

- [Source-control packages](https://www.automicvault.com/pkg/source-control-tools/) - Belongs to a source-control command family.
- [Secret-risk packages](https://www.automicvault.com/pkg/secret-risk-packages/) - Has protected-tool coverage, approval-gate, or non-low Geiger security signals.
- [Terminal utility packages](https://www.automicvault.com/pkg/terminal-utilities/) - Matched terminal and command-line workflow metadata.
- [Developer build packages](https://www.automicvault.com/pkg/developer-build-tools/) - Matched build, compiler, generator, or developer workflow metadata.
- [go](https://www.automicvault.com/pkg/brew/go/) - Build dependency declared by Homebrew.
- [certbot](https://www.automicvault.com/pkg/brew/certbot/) - Shares av.db curated category or tags: certificates, cli, https, security, tls.
- [certgraph](https://www.automicvault.com/pkg/brew/certgraph/) - Shares av.db curated category or tags: certificates, cli, security, tls.
- [certigo](https://www.automicvault.com/pkg/brew/certigo/) - Shares av.db curated category or tags: certificates, cli, security, tls.
- [certstrap](https://www.automicvault.com/pkg/brew/certstrap/) - Shares av.db curated category or tags: certificates, cli, security, tls.
- [crip](https://www.automicvault.com/pkg/brew/crip/) - Shares av.db curated category or tags: certificates, cli, security, tls.
- [minica](https://www.automicvault.com/pkg/brew/minica/) - Shares av.db curated category or tags: certificates, cli, security, tls.
- [showcert](https://www.automicvault.com/pkg/brew/showcert/) - Shares av.db curated category or tags: certificates, cli, security, tls.
- [acme.sh](https://www.automicvault.com/pkg/brew/acme-sh/) - Shares av.db curated category or tags: certificates, cli, security.
- [mkcert](https://www.automicvault.com/pkg/npm/mkcert/) - Same normalized package name appears in another local ecosystem. Shared terms: certificates, development, mkcert.
- [mkcert](https://www.automicvault.com/pkg/npm/mkcert/) - Same normalized package name in another local ecosystem.

## Combined YAML source

View the package source record on GitHub. [combined/mkcert.yml](https://github.com/automic-vault/db/blob/main/combined/mkcert.yml)


## Sources

- Nucleus package database
- Geiger risk classifier
- approval-gate seed metadata
- package-page enrichment
- curated configuration and credential file locations
- curated package history
- package version freshness
- av.db category and tag curation
- package relationship graph
- external package-manager database matches
- cross-ecosystem install command graph
- curated agent safety answer
